From d9c0b177008937bce110c3902479ad8c720f6b14 Mon Sep 17 00:00:00 2001
From: Monty
Date: Mon, 18 Oct 2010 09:52:45 +0000
Subject: If fuzzing swaps in a codebook that allows values outside the circular range of the piecewise representation, it can overflow the lookup. Proper fix here is just a simple clamp.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17543 0101bb08-14d6-0310-b084-bc0e0c8e3800
---
 floor1.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/floor1.c b/floor1.c
index d2a5be7..a408392 100644
--- a/floor1.c
+++ b/floor1.c
@@ -394,7 +394,7 @@ static void *floor1_inverse1(vorbis_block *vb,vorbis_look_floor *in){
 }
 }
- fit_value[i]=val+predicted;
+ fit_value[i]=(val+predicted)&0x7fff;;
 fit_value[look->loneighbor[i-2]]&=0x7fff;
 fit_value[look->hineighbor[i-2]]&=0x7fff;
@@ -425,14 +425,20 @@ static int floor1_inverse2(vorbis_block *vb,vorbis_look_floor *in,void *memo,
 int hx=0;
 int lx=0;
 int ly=fit_value[0]*info->mult;
+ /* guard lookup against out-of-rage values */
+ ly=(ly<0?0:ly>255?255:ly);
+
 for(j=1;jposts;j++){
 int current=look->forward_index[j];
 int hy=fit_value[current]&0x7fff;
 if(hy==fit_value[current]){
- hy*=info->mult;
 hx=info->postlist[current];
-
+ hy*=info->mult;
+ /* guard lookup against out-of-rage values */
+ hy=(hy<0?0:hy>255?255:hy);
+
+
 render_line(n,lx,hx,ly,hy,out);
 lx=hx;
-- 
cgit v1.2.1
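Review bot: In floor1_inverse1 the new `fit_value[i]=(val+predicted)&0x7fff;;` masks rather than clamps, so a negative `val+predicted` from a hostile codebook wraps to a large positive post value instead of saturating at 0. The 0..255 clamp added in floor1_inverse2 then pins that post to the top of the range, which is memory-safe but not what the commit message's "simple clamp" suggests. A comment stating the intent would help, e.g. `/* keep bit 15 clear: it is tested as a flag via hy==fit_value[current] in floor1_inverse2 */` (inferred from the second hunk, so worth confirming). The statement also ends in a stray `;;`, and the function body starts and ends outside the hunk.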
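Review bot: The two clamps added in floor1_inverse2 hard-code 255 and repeat the same expression for `ly` and `hy`, so the bound is not visibly tied to the size of the table that render_line indexes (the table is not shown here; presumably 256 entries). Naming the limit once, or deriving it from the table's element count in a small `static` helper used at both sites, keeps the guard correct if the table ever changes. The products `fit_value[0]*info->mult` and `hy*=info->mult` are computed in `int` before the clamp, and `fit_value[0]` is not masked in this hunk, so whether they can overflow depends on bounds enforced where those values are parsed. Both new comments read "out-of-rage" where "out-of-range" is meant. The function continues outside the hunk.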